CBS recently fixed a vulnerability in its popular Sports application that could have exposed users to man-in-the-middle attacks and inadvertently leaked personal data. According to researchers, upon registration, users’ names, email addresses, account passwords, dates of birth, and zip codes were all sent over an unencrypted connection, in cleartext, to the app’s servers.

Both the Android and iOS versions of the app were guilty of poor encryption, according to researchers at Wandera, a mobile data security firm based in San Francisco who discovered the issue. The company’s threat intel team, led by Michael Covington, VP of Product, were poking around popular sports apps last month, monitoring spikes in mobile traffic when they came across the vulnerability. The discovery, which Wandera made on March 18, happened to coincide with perhaps the most popular time of the year that sports fans download and use the app, the March Madness NCAA basketball tournament. The service allows fans to track teams and scores, both on the app and on CBS’ website. It’s unclear exactly how many users have downloaded the app for iOS, but it has somewhere between five and 10 million installs on Android, according to Google’s Play marketplace.

“Instead of developing mobile properties with the same security development lifecycle that is used for other aspects of their infrastructure, we are seeing developers push out code that clearly was not tested for the most basic of vulnerabilities,” Covington told Threatpost.

 

CBSSports.com suffered from a similar vulnerability as it failed to encrypt users data, but only transmitted users’ email addresses and passwords in cleartext. Another portion of the site, a “Forgot User ID or password” section where users can reset their passwords leaked users’ email addresses. According to Covington, the issue with CBS Sports stemmed from a lack of HTTPS, something CBS addressed after Wandera reached out and disclosed the issue. “As more companies begin to offer services for mobile platforms, we are seeing time-to-market take precedence over security best practices,” Covington told Threatpost Monday, “Instead of developing mobile properties with the the same security development lifecycle that is used for other aspects of their infrastructure, we are seeing developers push out code that clearly was not tested for the most basic of vulnerabilities.” “What is particularly alarming about this practice is that we are seeing it from companies of all sizes.  The CBS Sports app is one of the top news and sports apps in the US market and this vulnerability impacted a large number of users who simply wanted to participate in a major sporting event.”